WE CLAIM: 



1 . A computer security service for a computer network accessible by users and 
comprising services and resources, the computer security service comprising, 

a policy builder component, comprising 

5 a network constituent definition component, for defining user data and 

services and resources data corresponding to the computer network users, 
services and resources, and 

a policy definition component for defining access policies for the 
computer network users, services and resources, 

10 a database component for maintaining user, services and resources data, and 

access policies, and for providing a set of selected access policies in response 
to a database query, and 

a validator component, comprising 

a request parser for receiving a policy query for service or resource access 
15 originated by a network user and for generating a corresponding database 

query for submission to the database component, and 

a policy parser for receiving the set of access policies provided by the 
database component in response to the corresponding database query and 
for generating a policy decision for communication to the network user 
20 based on the set of access policies provided by the database component. 



2. The security service of claim 1 in which the policy builder component comprises a 
graphical user interface for displaying 

a grid having nodes, laid out on a first and on a second axis, 

25 user labels corresponding to the user data, each user label labelling nodes 
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aligned relati^^ro the first axis of the grid, and 



resource labels corresponding to the services and resources data, each 
resource label labelling nodes aligned relative to the second axis of the grid, 

the nodes in the grid corresponding to the access policies for users and services 
and resources, as defined by the user and resource labels. 

3. A graphical user interface for a security service for a computer network, the 
computer network comprising defined users, services and resources, the graphical 
user interface displaying 

a grid comprising nodes laid out on a first and on a second axis, 

user labels corresponding to defined users, each user label labeling nodes 
aligned relative to the first axis of the grid, 

resource labels corresponding to the defined services and resources, each 
resource label labeling nodes aligned relative to the second axis of the 
grid, and 

the nodes in the grid corresponding to access policies for the defined users and 
defined services and resources for the computer network, corresponding to the 
user and resource labels. 

4. A graphical user interface for a security service for a computer network, the 
computer network comprising defined users represented by a business relationship 
tree data structure, the computer network further comprising services and resources, 
represented by a resource tree data structure, the graphical user interface comprising 
display means for displaying 

a grid comprising nodes laid out on a first axis and on a second axis, 

user labels corresponding to the users in the business relationship tree data 



structure, eac^^r label labelling nodes aligned relati^fe the first axis of the 
grid, and 

resource labels corresponding to the defined services and resources in the 
resource tree data structure, each resource label labelling nodes aligned 
relative to the second axis of the grid, 

the nodes in the grid corresponding to access policies for the defined users and 
defined services and resources, corresponding to the user and resource labels. 



5. A computer security service for a computer network accessible by users and 
10 comprising services and resources, the computer security service comprising, 

a policy builder component available to one or more policy managers, for 
defining access policies for the computer network users, services and 
resources, and 

a web-based delegated administration component accessible to users for 
1 5 defining access policies for the computer network users, services and 

resources, the delegated administration component comprising a graphical 
user interface available to users for defining said access policies. 

6. The computer security service of claim 5 in which the delegated administration 
component is implemented as a service supported by the computer security service. 

20 7. The computer security service of claim 5 in which the graphical user interface 
comprises one or more HTML format pages accessible to users. 



8. The computer security service of claim 5 further comprising a delegated 
administration definition component for defining delegated administration 

25 permissions for users whereby users are selectively enabled to use the delegated 

administration component to define access policies for specified resources and users. 

9. The computer security service of claim 8 in which the delegated administration 



55 



o 



definition component TWxher comprises a graphical user interfaHRbr displaying a 
grid having nodes, laid out on a first axis and on a second axis, each node 
corresponding to a variable set of users, potentially including the null set, for which 
delegated administration permissions are granted, the position of each node relative to 
5 the first and second axes in the grid defining the users and the resources, respectively, 
for which permissions are granted for the node. 

10. The computer security service of claim 9, the graphical user interface further 
comprising an array of nodes relative to the second axis for defining specified 
users enabled to modify user data maintained by the computer security service, 

10 the position of each node in the array of nodes, relative to the first axis, defining 

the user data for which the modification of data is enabled. 

1 1 . A computer program product for users with a computer network, said computer 
program product comprising a computer usable medium having computer 
readable program code means embodied in said medium for implementing the 

1 5 computer security service of claim 5, 6, 7, 8, 9, or- 1 0. 



12. The security service of claim 2, the graphical user interface further comprising an 
a array of nodes relative to the second axis for defining specified users enabled to 

modify user data maintained by the computer security service, the position of 
each node in the array of nodes, relative to the first axis, defining the users for 
20 which the modification of data is enabled. 

13. The graphical user interface of claim 3 or 4 further comprising an array of nodes 
relative to the second axis for defining specified users enabled to modify user data 
maintained by the computer security service, the position of each node in the 
array of nodes, relative to the first axis, defining the users for which the 

25 modification of data is enabled. 
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